Tutorial tips
This tutorial is designed for people who have basic knowledge of Web services and associated technologies, such as WSDL and SOAP, and who want to learn how to construct a Java Web service, together with a Microsoft Visual Basic .NET client for it, that communicates securely using WS-Security. I begin with basic authentication and then move on to digital signature and its use for authentication. The development tools I used to create and run the Web service were IBM(R) WebSphere(R) Studio Application Developer V5.1.0 (Application Developer) and Microsoft Visual Studio .NET 2003 with Web Services Enhancements 1.0 SP1. All my WebSphere work was done on a Microsoft Windows 2000 operating system, and the Visual Basic .NET work was done on Microsoft Windows XP. I assume that you have some knowledge of security certificates, of what authentication means, and of how digital signatures are created, although I do give brief explanations. I also assume basic knowledge of IBM WebSphere Application Server, such as being able to turn on security and select user registries. If you would like to take the tutorial but feel unsure about any of these subjects, the Resources section has links to appropriate documentation.
For technical questions about the content of this tutorial, contact the author, Hedley Proctor, at proctor@uk.ibm.com.
Uses of basic authentication and digital signature
Basic authentication is a method whereby a user sends a username and password to a server. You will see how to construct a Java Web service that uses basic authentication and invoke it using a Visual Basic .NET client.
The major concern when using basic authentication to invoke a Web service is that the password is sent unencrypted in the SOAP message. Transport-level encryption can be applied by sending the message over https, but message-level encryption is not used. Security can be improved by sending a digest of the password, but an outstanding problem remains: a third party could alter the message while it is in transit. The username and password would still be correct at the other end, so the recipient would not know. Digital signatures not only let you use message-level encryption, but also ensure that a message cannot be tampered with, and hence provide a much more secure means of authenticating a user. When a client digitally signs a message, it uses a hash algorithm to create a digest of the message, which it then encrypts using its private key. It includes this encrypted digest and its public key with the message. When the server receives the message, it uses the public key to decrypt the digest. The server then compares this with its own hash of the message body. If the two digests match, the server knows two things:
- The message body has not been tampered with.
- The message must have come from the person who claims to have sent it.
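The sign-then-verify flow just described, as an added Go example that is not part of this tutorial's Java or .NET code. It uses a constructed SOAP body and an RSA key generated on the fly, and contrasts the signature check with a password-digest check to show why the latter cannot detect a body altered in transit.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample SOAP body; the ISBN is a placeholder, not from the tutorial.
const body = `<soap:Body><getBookPrice><isbn>0-000-00000-0</isbn></getBookPrice></soap:Body>`

// signBody hashes the body with SHA-256 and encrypts the digest with the sender's
// private key (RSA PKCS#1 v1.5 signature): the "digest, then encrypt" step.
func signBody(priv *rsa.PrivateKey, body string) ([]byte, error) {
	digest := sha256.Sum256([]byte(body))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyBody recomputes the digest over the received body and checks it against
// the signature with the sender's public key; any change to the body makes it fail.
func verifyBody(pub *rsa.PublicKey, body string, sig []byte) bool {
	digest := sha256.Sum256([]byte(body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// passwordDigestCheck models basic authentication with a hashed password: it only
// inspects the credential, so it says nothing about whether the body was altered.
func passwordDigestCheck(sentDigest [32]byte, knownPassword string) bool {
	return sentDigest == sha256.Sum256([]byte(knownPassword))
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := signBody(priv, body)
	if err != nil {
		panic(err)
	}
	tampered := `<soap:Body><getBookPrice><isbn>9-999-99999-9</isbn></getBookPrice></soap:Body>`
	fmt.Println("original verifies:", verifyBody(&priv.PublicKey, body, sig))   // true
	fmt.Println("tampered verifies:", verifyBody(&priv.PublicKey, tampered, sig)) // false
	// The password digest is unchanged by the tampering, so this check still passes.
	pwd := sha256.Sum256([]byte("secret"))
	fmt.Println("password digest accepted despite tampering:", passwordDigestCheck(pwd, "secret"))
}
```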
You can use XML Digital Signature purely to ensure that messages reaching your Web service are not tampered with, or as a means of authentication. Due to constraints of space, I only have time to do the former in this tutorial. However, I give some pointers as to how you would extend the example to use digital signature for authentication.
Standards for interoperable Web services have been developed by the Web Services Interoperability Organisation (WS-I.org). However, the most important security document is the WS-Security specification, which pre-dates the WS-I. Both .NET and Application Developer base their implementations on it. If you wish to read the specification, the Resources section contains a link to it.
This tutorial shows you how to:
- Create a simple online bookstore Web service in Application Developer, starting from a WSDL, and configure it for basic authentication.
- Create and test a .NET client that invokes this Web service.
- Create a new version of the same Web service using the default security settings for XML Digital Signature with a test Java client.
- Configure the server security settings so that you can use different security certificates.
- Construct a .NET client, configure it to use your own certificate, and use it to invoke the Web service.
Afterwards, I summarize the important points to remember when using Web Services authentication and digital signature.

